
TLS failed. Reason: (336130329, 'error:1408F119:SSL routines:SSL3_GET_RECORD:decryption failed or bad record mac')

I am getting this error in the mail_logs on just a few incoming connections. After this error the connection is lost and the sending SMTP server is unable to send e-mail to us.

 

Any idea what this is and how I correct it?

3 Replies

Libin Varghese
Cisco Employee

Hi,

 

The error suggests the sending server was not able to negotiate TLS with the ESA.

 

This could be due to a mismatch in the TLS versions offered or not being able to agree upon a cipher.

 

The ciphers configured to be offered by the ESA can be viewed from the GUI under System Administration -> SSL Configuration, or from the CLI with sslconfig -> verify -> paste the cipher string for inbound seen in the GUI.

 

You can also set up a packet capture on the ESA for the sending IP to confirm why the connection was not successful.

 

In TLS, the Client ESA offers the supported protocol and ciphers to the Server in the "Client Hello". The TLS Server makes a decision on the cipher and takes the first match from the ordered cipher suites that are offered.

 

Regards,

Libin Varghese

Thanks for the fast reply,

 

In SSL configuration:

 

Inbound SMTP method: tlsv1_0tlsv1_1tlsv1_2tlsv1_0tlsv1_1tlsv1_2
Inbound SMTP ciphers:
RC4-SHA
RC4-MD5
ALL
-aNULL
-EXPORT

 

The SSLv3 method is not configured; is this the issue or not? If not, what is the error in the SMTP method or ciphers that causes the TLS failure (SSL routines:SSL3_GET_RECORD)?

 

Thanks

SSLv3 ciphers are used by TLSv1.

 

TLSv1 does not have a dedicated set of ciphers apart from that.

 

Based on the configuration it appears to be default, so you can set up a packet capture or contact the sender to confirm what ciphers they require to be offered.

 

- Libin V
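
Added example, not part of the original thread or any Cisco tool: a Python script that ties each "TLS failed" line to the sending IP through its ICID, so the packet capture suggested above can be scoped to the hosts that actually fail. The log line layout (the "ICID n" prefix and the "New SMTP ICID ... address" line) is an assumption and all sample lines are constructed; only the error tuple is taken from the thread title.

```python
import re
from collections import Counter

# Constructed sample lines; the ICID/address layout is an assumption, not copied from a real ESA.
SAMPLE_LOG = """\
Tue Mar  5 10:01:02 2019 Info: New SMTP ICID 101 interface Data1 (192.0.2.10) address 198.51.100.7 reverse dns host mx.example.net verified yes
Tue Mar  5 10:01:03 2019 Info: ICID 101 TLS failed. Reason: (336130329, 'error:1408F119:SSL routines:SSL3_GET_RECORD:decryption failed or bad record mac')
Tue Mar  5 10:02:10 2019 Info: New SMTP ICID 102 interface Data1 (192.0.2.10) address 203.0.113.25 reverse dns host mail.example.org verified yes
Tue Mar  5 10:02:11 2019 Info: ICID 102 TLS success protocol TLSv1.2 cipher ECDHE-RSA-AES256-GCM-SHA384
Tue Mar  5 10:05:40 2019 Info: New SMTP ICID 103 interface Data1 (192.0.2.10) address 198.51.100.7 reverse dns host mx.example.net verified yes
Tue Mar  5 10:05:41 2019 Info: ICID 103 TLS failed. Reason: (336130329, 'error:1408F119:SSL routines:SSL3_GET_RECORD:decryption failed or bad record mac')
"""

NEW_CONN = re.compile(r"New SMTP ICID (\d+) .*? address (\S+)")
TLS_FAIL = re.compile(
    r"ICID (\d+) TLS failed\. Reason: "
    r"\((\d+), 'error:([0-9A-Fa-f]{8}):([^:]*):([^:]*):([^']*)'\)"
)

def decode_openssl_error(code):
    """Split a packed OpenSSL 1.0.x/1.1.x error code into (library, function, reason)."""
    return (code >> 24) & 0xFF, (code >> 12) & 0xFFF, code & 0xFFF

def tls_failures_by_sender(log_text):
    """Count TLS failures keyed by (sending IP, OpenSSL function, reason text)."""
    icid_to_ip = {}
    failures = Counter()
    for line in log_text.splitlines():
        m = NEW_CONN.search(line)
        if m:
            icid_to_ip[m.group(1)] = m.group(2)  # remember which IP opened this ICID
            continue
        m = TLS_FAIL.search(line)
        if m:
            icid, code, hex_code, _lib, func, reason = m.groups()
            # The decimal and hex forms must describe the same packed value;
            # skip lines where they disagree (truncated or mangled entries).
            if int(code) != int(hex_code, 16):
                continue
            failures[(icid_to_ip.get(icid, "unknown"), func, reason)] += 1
    return failures

if __name__ == "__main__":
    for (ip, func, reason), n in tls_failures_by_sender(SAMPLE_LOG).most_common():
        print(f"{ip}: {n} x {func}: {reason}")
    print("lib/func/reason:", decode_openssl_error(336130329))
```
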